b=543682; don't let js array holes escape via typed arrays; r=jorendorff

2010-03-03 16:20:41 -08:00 · 2010-03-03 16:20:41 -08:00 · a28d54e951
--- a/js/src/jstypedarray.cpp
+++ b/js/src/jstypedarray.cpp
@ -920,7 +920,7 @@ class TypedArrayTemplate
    {
        NativeType *dest = static_cast<NativeType*>(data);

-        if (ar->isDenseArray()) {
+        if (ar->isDenseArray() && js_DenseArrayCapacity(ar) >= len) {
            JS_ASSERT(ar->fslots[JSSLOT_ARRAY_LENGTH] == (jsval)len);

            jsval *src = ar->dslots;
@ -931,6 +931,12 @@ class TypedArrayTemplate
                    *dest++ = NativeType(JSVAL_TO_INT(v));
                } else if (JSVAL_IS_DOUBLE(v)) {
                    *dest++ = NativeType(*JSVAL_TO_DOUBLE(v));
+                } else if (v == JSVAL_HOLE) {
+                    // Holes convert to 0.
+                    // XXX for floating-point arrays, they should convert to NaN
+                    // Note that the int32() is necessary, because on MSVC int32 is not the
+                    // same as int, and there's no constructor for uint8_clamped(int).
+                    *dest++ = NativeType(int32(0));
                } else {
                    jsdouble dval;
                    if (!JS_ValueToNumber(cx, v, &dval))
@ -950,6 +956,9 @@ class TypedArrayTemplate
                    *dest++ = NativeType(JSVAL_TO_INT(v));
                } else if (JSVAL_IS_DOUBLE(v)) {
                    *dest++ = NativeType(*JSVAL_TO_DOUBLE(v));
+                } else if (v == JSVAL_VOID) {
+                    // See earlier comment about why int32(0) is necessary
+                    *dest++ = NativeType(int32(0));
                } else {
                    jsdouble dval;
                    if (!JS_ValueToNumber(cx, v, &dval))
--- a/js/src/tests/js1_8_5/extensions/typedarray.js
+++ b/js/src/tests/js1_8_5/extensions/typedarray.js
@ -194,6 +194,21 @@ function test()
    check(function() a[2] == 0);
    check(function() a[3] == 0);

+    // check handling of holes and non-numeric values
+    var x = Array(3);
+    x[0] = "hello";
+    x[1] = { };
+
+    a = new Uint8Array(x);
+    check(function() a[0] == 0);
+    check(function() a[1] == 0);
+    check(function() a[2] == 0);
+
+    a = new Float32Array(x);
+    check(function() a[0] == NaN, TODO); // XXX should be NaN, not 0, most likely
+    check(function() a[1] == NaN);
+    check(function() a[2] == NaN);
+
    print ("done");

    reportCompare(0, TestFailCount, "typed array tests");